The number of U.S. data compromises reported during the first three quarters of 2023 exceeded the previous annual record of data events by 14% with three months left in the year, and the data shows nonprofits are not immune from attacks.
The Identity Theft Resource Center (ITRC) in San Diego tracked 22 data compromises at nonprofits impacting more than 7 million people during the third quarter (Q3). That is up from 16 compromises impacting more than 65,000 people during Q3 of 2022 and 21 compromises impacting 143,000 people during Q3 2021.
The numbers do not include education, where there were 42 compromises, or health care, where there were 113 compromises. The data does not break out which health care organizations were nonprofit entities.
For the nine months ending Sept. 30, there have been 2,116 data compromises reported, including 733 during Q3. The number of year-to-date (YTD) data compromises surpasses the previous annual record of 1,862 reported events set in 2021, according to data from the ITRC.
There were 69 compromises at nonprofits during the first nine months of the year, according to ITRC data.
Cyberattacks continued to be the most frequently reported root cause of a data breach in Q3, with 614 notices issued. More than half of breached entities (386) did not report an attack vector. However, among those that did, phishing attacks were the most frequently reported cause.
Zero-day attacks (69) exceeded ransomware (64) and malware attacks (17). However, with more entities not reporting an attack vector than those that did, it is difficult to be precise about the rate of specific attack vectors, according to officials at the ITRC.
Supply chain attacks impacted a large number of entities in Q3, even though those entities were not directly attacked. A total of 1,321 organizations reported data compromises as the result of an attack against 87 suppliers, including many third parties that used the MOVEit file transfer software. So far in 2023, 344 U.S. organizations have been impacted through one or more vendors using a vulnerable MOVEit product.
An additional 79 organizations have reported being directly impacted by attacks against MOVEit software or services. Four of the top 10 compromises in Q3 were related to a MOVEit attack, according to the ITRC researchers.
The rise in compromises can also be attributed to a new wave of ransomware attacks as cybercrime groups return after being sidelined in the first year of the war in Ukraine, along with new ransomware groups entering the criminal environment, according to ITRC officials. That is consistent with the number of data breaches attributed to ransomware (186) exceeding the number of malware attacks so far in 2023. However, malware is also up in 2023 with 106 related compromises versus 68 in full-year 2022.